CVE-2021-39236
HIGH
Apache Ozone < 1.2.0 - Authenticated User Impersonation via OM Request
Title source: llm
Description
In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
References (3)
Core References
Mailing List, Mitigation, Vendor Advisory x_refsource_misc
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/11/19/7
Exploit issue-tracking
https://issues.apache.org/jira/browse/HDDS-4763
Scores
CVSS v3
8.8
EPSS
0.0064
EPSS Percentile
70.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (2)
apache/ozone
< 1.2.0
org.apache.hadoop/hadoop-ozone-ozone-manager
0 - 1.2.0
Maven
Published
Nov 19, 2021
Tracked Since
Feb 18, 2026